Ssl – configuring ssl in _default_ virtual host

apache-2.2ssl

There is a default virtualhost in webmin, the directives seems to same as the file ssl.conf. It seems it processes all requests on port 443 not handled by other virtual servers.

I tried to change the .crt and .key to my custom .crt and .key by changing the two lines

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /var/www/html/server.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /var/www/html/server.key

but there are errors after I click "apply changes" in webmin

Some of your private key files are encrypted for security reasons. In
order to read them you have to provide the pass phrases.

Server 6313213113.static.ctinets.com:443 (RSA) Enter pass
phrase:Apache:mod_ssl:Error: Private key not found.

How do I solve this problem?

* Update *

<VirtualHost 172.16.1.99:443>
SSLEngine on
SSLCertificateFile /var/www/html/server.crt
SSLCertificateKeyFile /var/www/html/server.key

    DocumentRoot /var/www/html
ServerName www.domain.com:443
    DirectoryIndex index.php index.html index.htm index.shtml 
    LogLevel debug
HostNameLookups off
#DefaultLanguage zh-cn
AddLanguage en .en
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
AddDefaultCharset UTF-8
AddCharset GB2312      .gb2312 .gb   
AddCharset utf-8       .utf8  
AddCharset big5        .big5 .b5  
UseCanonicalName off
php_value memory_limit 32M

</VirtualHost>

after i config about to httpd.conf

when i access http://www.domain.com:443 is accessable, but when i access https://www.domain.com, it can be accessable…….., what is the problem?

Best Answer

The private key file is itself encrypted with a passphrase. You need to remove this encryption so that Apache can load it without you typing the passphrase in manually.

You can use openssl to do this:

openssl pkey -in server.key -out server-nopassphrase.key

/usr/local/etc/apache22/Includes/login.domain.com.ssl.conf

Listen 10.0.0.152:443

<VirtualHost 10.0.0.152:443>
ServerAdmin admin@domain.com
DocumentRoot /web0/cloud/login.domain.com/current
ServerName login.domain.com

ServerAlias www.login.domain.com login.domain.com


LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog /var/log/www/login.domain.com-access_log
ErrorLog /var/log/www/login.domain.com-error_log

<DIRECTORY /web0/cloud/login.domain.com/current>
Allow from All
OPTIONS Indexes Includes ExecCGI FollowSymLinks
AllowOverride ALL
</DIRECTORY>

IndexOptions FancyIndexing

AddType application/x-httpd-php .html

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/login.domain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/login.domain.com.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle"

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


</VirtualHost>

/usr/local/etc/apache22/Includes/admin.domain.com.ssl.conf

Listen 10.0.0.151:443

<VirtualHost 10.0.0.151:443>
ServerAdmin admin@domain.com
DocumentRoot /web0/cloud/admin.domain.com/current
ServerName admin.domain.com

ServerAlias www.admin.domain.com admin.domain.com

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog /var/log/www/admin.domain.com-access_log
ErrorLog /var/log/www/admin.domain.com-error_log

<DIRECTORY /web0/cloud/admin.domain.com/current>
Allow from All
OPTIONS Indexes Includes ExecCGI FollowSymLinks
AllowOverride ALL
</DIRECTORY>

IndexOptions FancyIndexing

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/admin.domain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/admin.domain.com.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle"

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


</VirtualHost>

Linux – Apache server keeps crashing regularly

I'm not saying this is what's happening but based on my own experience as a CentOS admin, it's most likely runaway apache/php processes taking down the server. I've seen this numerous times on CentOS 5. It's frustrating because there's usually not a trace of what happened in the log files. The machine just grinds to a halt due to physical memory and swap being sucked up by apache/php processes. You would think linux memory management or some daemon would jump in and say "hey stop" but it doesn't. It'll let apache grind your system to a halt.

Having said that, to see what's happening you'll need something that can monitor and log resource usage. I like to use a program called atop. Atop is a lot like the top program but it also takes a snapshot of resource usage at defined intervals. It's pretty simple to install.

wget http://www.atcomputing.nl/Tools/atop/packages/atop-1.23.tar.gz 
tar -zxvf atop-1.23.tar.gz
cd atop-1.23 && make install

Open /etc/atop/atop.daily with a text editor and change INTERVAL=600 to INTERVAL=60

Run the command /etc/atop/atop.daily from a command prompt to start it. Wait a few minutes and run atop -r /var/log/atop/atop_20091118 with the correct date of course.

Hit the t key to go forward in time and T to go back. Next time your server crashes do this and check the MEM free and SWP free lines. If you have memory problems these will be in red. Also look for numerous httpd lines under CMD. If apache/php is your problem there'll be a bunch of them.

If this is the case, I recommend looking at you're MaxClients setting in httpd.conf. If set too high, apache will gladly eat all of your memory causing your machine to crash. Apache/php can easily eat 40-50MB/process. If you multiply 40mb x MaxClients you'll get a rough idea of how much memory apache can potentially use. MaxClients usually defaults to 150 on CentOS so apache can potentially use 6GB of memory by default. This doesn't include memory your system needs for itself and other processes to run. Try setting it to a more realistic value based on the amount of memory you have like 40 if you have 2G of memory and see if that helps. Also if you have KeepAlive On, set KeepAliveTimeout to a low number like 2 or 3.

In my opinion CentOS's apache/php compilation is a real pos that should never have seen the light of day. It's buggy and crash prone. If you run a serious site, I highly recommend compiling your own version of apache/php or even using one of the newer high performance webservers like lighttpd or nginx with fgci php.

Best Answer

Related Solutions

Ssl – RHEL/Apache ssl.conf configuration issue

/usr/local/etc/apache22/Includes/login.domain.com.ssl.conf

/usr/local/etc/apache22/Includes/admin.domain.com.ssl.conf

Linux – Apache server keeps crashing regularly

Related Topic